ProblemChild Getting Started question


Just read through ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack | Elastic Blog
which all seems super interesting.

So.. Forgive me for my noobish questions.. But I was wondering how exactly I should start building this on my own Elastic stack.
I guess I need to store the scripts first with How to write scripts | Elasticsearch Guide [7.12] | Elastic ?

As I'm using Winlogbeat, am I supposed to use this pipeline examples/problemchild_features.json at master · elastic/examples · GitHub
while ingesting winlogbeat data so my winlogbeat data contains the correct features fields?

And then do data fram analytics classification on the resulting winlogbeat index?

Best regards,



Hello @willemdh!

Thanks for reaching out. Hope this answers your questions:
Yes you'll first need to set all the scripts (ngram_extractor, normalize_ppath, features_winlogbeat) in your cluster state.
You will then set this ingest pipeline.
Once you've set those, I would suggest using the ingest pipeline to re-index your raw winlogbeat data into another index and using that index to run your Data Frame Analytics jobs. Hope this helps!

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.